January 2011
Brian McLean, CISSP, Sr Technology Consultant, RSA
Security team cannot see into the IT environment.
Raw log and event volume is overwhelming to process.
Real-time security posture is difficult to understand.
Compliance is time-consuming.

Non-intrusive log collection to access all event sources.
Complete information lifecycle management process.
Real-time risk-based prioritization of events.
Compliance reports in minutes, not weeks.
Enhancing Security
Real-time security alerting and analysis (forensics, alerting and correlation, network baselining), built on visibility into security devices, network devices, applications and databases, servers, and storage.
Simplifying Compliance
Robust Alerting & Reporting
1,400+ reports included out of the box, easily customizable, grouped according to standards, e.g. national laws (SOX, Basel II, JSOX), industry regulations (PCI), and best practices and standards (ISO 27002, ITIL).
Enhancing Security
Support the 3 key aspects of Security Operations
"SIEM technology provides real-time event management and historical analysis of security data from a wide set of heterogeneous sources. This technology is used to filter incident information into data that can be acted on for the purposes of incident response and forensic analysis." (Mark Nicolette, Gartner)
Benefits
Turns raw log data into actionable information
Increases visibility into security, compliance and operational issues
Saves time through compliance reporting
Streamlines the security incident handling process
Lowers operational costs
Why enVision?
Any Data - Any Scale
Collection of any type of log data, real-time correlation, and best-in-breed scalability
Appliance form factor, agentless architecture
Flexible but simple customization
Comprehensive combination of event sources, correlation rules and reports
Frequent updates to the security knowledgebase
Broad partner eco-system of strategic technology partners plus front-line security and compliance expertise
Unparalleled installed base of more than 1,600 production customers
Active online customer Intelligence Community for shared best practices and knowledge
Single strategic vendor with a strong balance sheet
Simplified IT operations, single point of contact, and global customer support
Integration with RSA and EMC solutions (e.g. Access Manager, Authentication Manager, Voyence, Celerra, Symmetrix)
Simplifying Compliance
Compliance challenges
Historically, compliance processes involved dedicated resources performing multiple tasks manually and repetitively:
The data collection process was long and laborious
Valuable data was often missed or not included
Analysis and reporting was expensive and slow, and involved multiple log collection and analysis tools
Companies struggle to keep pace with understanding and complying with the relevant laws and regulations, for example EU CDR, FISMA, FACTA, FFIEC, IRS 97-22, NISPOM, ACSI 33 and NIST 800.
Event Taxonomy
Hierarchical structure: 10 top-level categories, 250 total categories

An organization needs to know:
Whether it is compliant with regulations and laws
What it needs to do to become compliant
How to show or prove to auditors that it is compliant
How to provide evidence of compliance that can be used in a court of law
Agenda
Detecting High-Risk Incidents
Streamlining the Incident Handling Process
Measuring the Value of Security Operations
RSA enVision collects all log data from almost any third-party device.

Detecting High-Risk Incidents
Unusual authentication or access control issues, like multiple failed logons or unauthorized system accesses
High-risk vulnerabilities and threats: new high-risk vulnerabilities detected on critical assets, or likely attacks on vulnerable hosts
Suspicious network activity: unusual deviations in network behavior, or network activity that violates policy

What RSA enVision provides:
Asset context: import of data about IT assets from asset management systems
The ability to define correlation rules and watchlists of dynamic information
Regular updates of vulnerabilities, IDS signatures, event knowledge and correlation rules, plus a detailed library of background information
(Diagram: IDS and VA scanner event feeds into RSA enVision, which raises an alert for the analyst.)
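The three mechanisms the slide names (a correlation rule, a dynamic watchlist, and asset plus vulnerability context used for risk-based prioritization) can be shown in a small correlation pass. This is an added example, not RSA enVision code or any rule shipped with it: the syslog-style log lines, the asset criticality table (standing in for an asset-management import), the vulnerability-scan results, the FAIL_THRESHOLD and WINDOW values, and the priority formula (base severity multiplied by asset criticality) are all constructed assumptions for the demonstration. It ranks an IDS signature hit on a vulnerable critical host above the same kind of hit against an unimportant kiosk, and escalates a successful logon that follows a failed-logon burst from the same source.

```python
"""Toy SIEM correlation pass: failed-logon bursts, a dynamic watchlist,
and asset/vulnerability context for risk-based prioritization.

Added example, not RSA enVision code. All log lines, asset data and
vulnerability data below are constructed for the demonstration.
"""
from collections import defaultdict, deque
from dataclasses import dataclass
from datetime import datetime, timedelta
import re

# Constructed syslog-style authentication and IDS events (not real logs).
LOG_LINES = [
    "2011-01-12T09:00:01 srv-fin01 sshd: Failed password for alice from 10.1.5.7",
    "2011-01-12T09:00:05 srv-fin01 sshd: Failed password for alice from 10.1.5.7",
    "2011-01-12T09:00:09 srv-fin01 sshd: Failed password for alice from 10.1.5.7",
    "2011-01-12T09:00:12 srv-fin01 sshd: Failed password for alice from 10.1.5.7",
    "2011-01-12T09:00:20 srv-fin01 sshd: Accepted password for alice from 10.1.5.7",
    "2011-01-12T09:05:00 ids01 snort: alert CVE-2010-1234 target=srv-fin01 src=10.1.5.7",
    "2011-01-12T09:06:00 ids01 snort: alert CVE-2010-9999 target=kiosk-lobby src=10.1.5.7",
    "2011-01-12T10:00:00 srv-dev02 sshd: Failed password for bob from 10.1.8.3",
]

# Asset context as it would be imported from an asset management system
# (hypothetical hosts; criticality on a 1..5 scale).
ASSETS = {"srv-fin01": 5, "kiosk-lobby": 1, "srv-dev02": 2}
# VA scanner results: which hosts are vulnerable to which CVE identifiers
# (the CVE ids are placeholders, not real advisories).
VULNS = {"srv-fin01": {"CVE-2010-1234"}, "kiosk-lobby": set()}

AUTH_RE = re.compile(r"^(\S+) (\S+) sshd: (Failed|Accepted) password for (\S+) from (\S+)$")
IDS_RE = re.compile(r"^(\S+) (\S+) snort: alert (CVE-\d+-\d+) target=(\S+) src=(\S+)$")

FAIL_THRESHOLD = 3            # failures within WINDOW that make a burst
WINDOW = timedelta(seconds=60)


@dataclass
class Alert:
    rule: str
    host: str
    detail: str
    priority: int             # base severity (1..5) x asset criticality (1..5)


def correlate(lines, assets=ASSETS, vulns=VULNS):
    """Run the rules over an event stream; return alerts, highest priority first."""
    alerts = []
    failures = defaultdict(deque)   # (host, user, src) -> timestamps in window
    watchlist = set()               # dynamic watchlist of suspicious source IPs
    for line in lines:
        m = AUTH_RE.match(line)
        if m:
            ts, host, outcome, user, src = m.groups()
            t = datetime.fromisoformat(ts)
            crit = assets.get(host, 1)          # unknown assets rank lowest
            if outcome == "Failed":
                q = failures[(host, user, src)]
                q.append(t)
                while q and t - q[0] > WINDOW:  # slide the window forward
                    q.popleft()
                if len(q) == FAIL_THRESHOLD:    # fire once per burst
                    watchlist.add(src)
                    alerts.append(Alert("auth_failure_burst", host,
                                        f"{len(q)} failures for {user} from {src}", 3 * crit))
            elif src in watchlist:              # success after a burst: escalate
                alerts.append(Alert("success_after_failures", host,
                                    f"{user} logged in from watchlisted {src}", 4 * crit))
            continue
        m = IDS_RE.match(line)
        if m:
            ts, sensor, cve, target, src = m.groups()
            crit = assets.get(target, 1)
            if cve in vulns.get(target, set()):  # signature matches a known hole
                alerts.append(Alert("attack_on_vulnerable_host", target,
                                    f"{cve} from {src}", 5 * crit))
            else:                                # signature hit, host not vulnerable
                alerts.append(Alert("ids_signature", target, f"{cve} from {src}", 1 * crit))
    alerts.sort(key=lambda a: a.priority, reverse=True)
    return alerts


if __name__ == "__main__":
    for a in correlate(LOG_LINES):
        print(f"{a.priority:>3} {a.rule:<26} {a.host:<12} {a.detail}")
```

The ordering is the point: the same snort signature yields priority 25 against the vulnerable, critical finance server and priority 1 against the non-vulnerable kiosk, which is what "risk-based prioritization" with asset and VA context means in practice. A production rule set would also expire watchlist entries and suppress repeated bursts; both are omitted here for brevity.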
Agenda
Detecting High-Risk Incidents
Streamlining the Incident Handling Process
Measuring the Value of Security Operations
Summary Benefits
Reduced risk (chart: incident rate over time)
Optimize network performance by identifying issues and faulty equipment
Assist IT managers with helpdesk operations by:
    helping reveal what is going on in the network
    providing global views of all network activity
    alerting them to network problems automatically
    providing them with customised dashboards of essential information
Fault management
Use alerts to highlight potential network problems when deviations from standard baseline activity occur
Integration with IT operations systems (e.g. EMC SMARTS) helps enable detection of and response to faults
Example: read/write failures, power spikes, fan failure
Generate alerts if observed activity stops on any important asset (the device or application may be down)
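One way to implement the baseline-deviation and "activity stopped" alerts just described, as an added example rather than RSA enVision's own logic: learn each device's typical inter-event gap from a training window, then flag the important devices that have been silent for longer than a multiple of that gap. The device names, timestamps, the median-gap baseline and the SILENCE_FACTOR value are constructed assumptions for the demonstration.

```python
"""Baseline-and-silence check for important assets: learn each device's
typical inter-event gap, then raise a fault alert when a device goes
quiet for much longer than its own baseline.

Added example, not RSA enVision code; names, timestamps and thresholds
are constructed for the demonstration.
"""
from collections import defaultdict
from datetime import datetime
from statistics import median

# Constructed (device, timestamp) observations standing in for a
# collector's per-source event stream (hypothetical device names).
TRAINING = [
    ("fw-edge01", "2011-01-12T08:00:00"), ("fw-edge01", "2011-01-12T08:00:30"),
    ("fw-edge01", "2011-01-12T08:01:00"), ("fw-edge01", "2011-01-12T08:01:30"),
    ("celerra-nas01", "2011-01-12T08:00:00"), ("celerra-nas01", "2011-01-12T08:10:00"),
    ("celerra-nas01", "2011-01-12T08:20:00"), ("celerra-nas01", "2011-01-12T08:30:00"),
    ("srv-dev02", "2011-01-12T08:00:00"), ("srv-dev02", "2011-01-12T08:05:00"),
]
LIVE = [
    ("fw-edge01", "2011-01-12T08:59:30"), ("fw-edge01", "2011-01-12T09:00:00"),
    ("celerra-nas01", "2011-01-12T09:00:00"),
    ("srv-dev02", "2011-01-12T08:30:00"),
]
IMPORTANT = ["fw-edge01", "celerra-nas01"]   # assets that must not go dark
SILENCE_FACTOR = 4                            # alert beyond 4x the baseline gap


def learn_baselines(observations):
    """Median inter-event gap per device, in seconds (median resists one
    outlier gap, e.g. a maintenance window, skewing the baseline)."""
    by_dev = defaultdict(list)
    for dev, ts in observations:
        by_dev[dev].append(datetime.fromisoformat(ts))
    baselines = {}
    for dev, times in by_dev.items():
        times.sort()
        gaps = [(b - a).total_seconds() for a, b in zip(times, times[1:])]
        if gaps:                      # a single event gives no gap to learn from
            baselines[dev] = median(gaps)
    return baselines


def check_silence(observations, baselines, important, now):
    """Return (device, seconds_silent, baseline_gap) for each important
    device quiet longer than SILENCE_FACTOR x its baseline, or never seen
    in this window at all (seconds_silent is None in that case)."""
    now = datetime.fromisoformat(now)
    last_seen = {}
    for dev, ts in observations:
        t = datetime.fromisoformat(ts)
        if dev not in last_seen or t > last_seen[dev]:
            last_seen[dev] = t
    alerts = []
    for dev in important:
        if dev not in baselines:
            continue                  # no baseline yet: nothing to compare against
        silent = (now - last_seen[dev]).total_seconds() if dev in last_seen else None
        if silent is None or silent > SILENCE_FACTOR * baselines[dev]:
            alerts.append((dev, silent, baselines[dev]))
    return alerts


if __name__ == "__main__":
    base = learn_baselines(TRAINING)
    for dev, silent, gap in check_silence(LIVE, base, IMPORTANT, "2011-01-12T09:03:00"):
        print(f"ALERT {dev}: silent {silent}s, baseline gap {gap}s")
```

A per-device baseline matters because a chatty firewall that stops for three minutes is a fault, while a NAS that reports every ten minutes is still healthy after the same three minutes; a single global timeout would either miss the first or page on the second. The same last-seen bookkeeping is what lets the helpdesk case later in this deck (a user's session left open in another region) be answered from the logs rather than by guesswork.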
RSA enVision provides helpdesk operations with a clearer view of what events are taking place in the network:
Events that affect users
Events that affect hardware/software
Events that affect business systems
IT Operations in a multi-national organization spent 3 days trying to establish why an executive could not log onto the network.
The user had logged off, changed his password, and could not log back on.
Several IT staff looked at this problem for 3 days.
Eventually they ran a report on RSA enVision looking at all logs for the user globally over the past 6 months.
Within 15 minutes, they established that the manager had travelled to Singapore, had logged onto the network there but had NOT logged off.
IT support logged the user off the network in Singapore and the user could now log back onto the network with the new password!
Generate an alert!
Helping reveal what is going on in the network
Providing global views of all network activity
Alerting them to network problems automatically
Providing them with customized dashboards of essential information
Providing a tool for detailed forensic work
Gives IT & Network Operations visibility into specific behavioural aspects of individuals or groups of users
RSA enVision
Stand-alone Appliances to Distributed Solutions
(Chart: appliance families plotted by events per second (EPS) against number of devices; ES Series at the low end, LS Series at the high end; EPS axis from 1,000 to 300,000, device axis from 2,048 to 30,000.)
(Architecture diagram: Collect layer taking event sources such as Windows Server, Netscreen Firewall, Cisco IPS, Juniper IDP, Microsoft ISS, Trend Micro Antivirus and legacy devices via UDS; Manage layer; Analyze layer providing Baseline, Correlated Alerts, Report, Realtime Analysis, Forensics, Interactive Query and Event Explorer.)